Comments on: Do We Really Need Malware Analysis?

By: The Sad State of Computer Security « Indefinite Studies

The Sad State of Computer Security « Indefinite Studies — Fri, 20 Nov 2009 16:27:55 +0000

[...] know that compiled programs are impossible to analyze. I already explained that bit in a post about malware analysis. The good side is that if we wanted, we could make programs statically analyzable (security-wise). [...]

By: Sven Türpe

Sven Türpe — Fri, 18 Sep 2009 21:25:13 +0000

Good point, a program should only do things that you are aware of, or maybe things that you would approve of if you were aware it is doing them. But I don’t see how this could be formalized and automatically determined: this definition implies that any program can be both harmful/malicious and harmless, depending solely on the awareness, intentions and expectations of the person running it.

Perhaps a probabilistic definition is more suitable. Some behaviors of a program or effects of program execution are more likely to be found in malicious/harmful programs than they are in harmless ones. Self-replication into other programs or machines is perhaps the most obvious example.

By: dan

dan — Fri, 18 Sep 2009 20:53:09 +0000

I agree there are some cases where you know a program won’t hurt you. That explains the success of Flash programs for instance.

But I’m not sure how reasoning about “harmful” solves the problem, because most programs can be harmful in some way. For instance, formatting a hard drive is clearly harmful, but it is only malicious if I did not intend dancingbunnies.exe to format my hard drive. This is an extreme example, but I think in most cases intent matters.

By: Sven Türpe

Sven Türpe — Fri, 18 Sep 2009 19:16:43 +0000

For some subsets of the programs out there I can answer a slightly modified question without even looking at the program. The modification is to replace malicious with harmful; I prefer considering effects, not intentions. Any program not executed on my machine is definitiely not potentially harmful since it has no chance of doing any harm to me. Any program properly confined to a sandbox is also not potentially harmful (unless the sandbox has a problem, and within the definition of harm underlying the sandbox design). Any program executed on a machine without any assets on it is not potentially harmful to this machine (it may be to others). These examples suggest that we have plenty of ways of limiting harm without knowing what individual programs may do or not do. Again, what exactly are the promises of malware analysis?

By: dan

dan — Fri, 18 Sep 2009 10:45:08 +0000

The purpose of malware analysis should be to answer the question “is this piece of program potentially malicious ?”
The problem is: we really don’t know how to do that. Dealing with the “potentially” part is intractable in the worst case (I can give examples). And it’s somewhat pointless, since we don’t know what “malicious” means anyway.

By: Sven Türpe

Sven Türpe — Fri, 18 Sep 2009 10:00:03 +0000

Let us generalize the question: to which extent do we need to understand attaks in order to produce working defenses? I am a software security tester, and I often don’t care about details. Abstractions are sufficient in many cases. For instance if a system allows unauthorized parties to execute program code in a trust domain they should have only limited access to, this is always bad, no matter how the code is designed. On the other hand I may care about those details that matter for getting the code into this trust domain.

So what are the promises of malware analysis?

By: dan

dan — Thu, 17 Sep 2009 07:18:03 +0000

If I wasn’t doing malware analysis, I would probably be playing in a rock band right now. *That* would be cool ;)

By: Benjamin

Benjamin — Thu, 17 Sep 2009 00:14:00 +0000

Good that accident happened. It made your life so damn cool!